code-423n4 / 2023-06-stader-findings


A lot with a `lots.sdAmount` less than the `bidIncrement` cannot be bid on #358

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L71

Vulnerability details

[M-01] A lot with a lots.sdAmount less than the bidIncrement cannot be bid on

Impact

Everyone can create a lot by calling Auction.createLot() with any arbitrary amount they specify. However, creating a lot with a low sdAmount can result in two potential issues:

        if (totalUserBid < lotItem.highestBidAmount + bidIncrement) revert InSufficientBid();

Thus, it may prevent other users from bidding (most users who bid on auctions aim to gain, not to lose).

Proof of Concept

    function createLot(uint256 _sdAmount) external override whenNotPaused {
        lots[nextLot].startBlock = block.number;
        lots[nextLot].endBlock = block.number + duration;
        lots[nextLot].sdAmount = _sdAmount;

        LotItem storage lotItem = lots[nextLot];

        if (!IERC20(staderConfig.getStaderToken()).transferFrom(msg.sender, address(this), _sdAmount)) {
            revert SDTransferFailed();
        }
        emit LotCreated(nextLot, lotItem.sdAmount, lotItem.startBlock, lotItem.endBlock, bidIncrement);
        nextLot++;
    }

    function addBid(uint256 lotId) external payable override whenNotPaused {
        // reject payments of 0 ETH
        if (msg.value == 0) revert InSufficientETH();

        LotItem storage lotItem = lots[lotId];
        if (block.number > lotItem.endBlock) revert AuctionEnded();

        uint256 totalUserBid = lotItem.bids[msg.sender] + msg.value;

        if (totalUserBid < lotItem.highestBidAmount + bidIncrement) revert InSufficientBid();

        lotItem.highestBidder = msg.sender;
        lotItem.highestBidAmount = totalUserBid;
        lotItem.bids[msg.sender] = totalUserBid;

        emit BidPlaced(lotId, msg.sender, totalUserBid);
    }

Tools

Manual Review

Recommended Mitigation Steps

We recommend preventing the creation of a lot with a dust amount that is less than the bidIncrement.

Assessed type

Invalid Validation
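Reduced sketch of the lot/bid interaction with the recommended check in place (added illustration, not the Stader contract or the warden's code; the SD transfer, pausing and timing logic are stripped, and the error name `LotBelowBidIncrement` and the contract name are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the Stader Auction contract: keeps only the state and
// checks that matter for the finding. Names below that are not on the page
// (AuctionSketch, LotBelowBidIncrement) are assumptions.
contract AuctionSketch {
    error InSufficientETH();
    error InSufficientBid();
    error LotBelowBidIncrement(uint256 sdAmount, uint256 bidIncrement);

    struct LotItem {
        uint256 sdAmount;          // SD tokens locked in the lot
        uint256 highestBidAmount;  // ETH (wei) of the current top bid
        address highestBidder;
    }

    uint256 public bidIncrement;   // minimum step between bids, in wei
    uint256 public nextLot;
    mapping(uint256 => LotItem) public lots;

    constructor(uint256 _bidIncrement) {
        bidIncrement = _bidIncrement;
    }

    // Mitigation from the finding: reject dust lots up front. Note that sdAmount
    // is denominated in SD and bidIncrement in wei; the finding compares them
    // directly, so a price-aware threshold would need an extra input (not shown).
    function createLot(uint256 _sdAmount) external {
        if (_sdAmount < bidIncrement) revert LotBelowBidIncrement(_sdAmount, bidIncrement);
        lots[nextLot].sdAmount = _sdAmount;
        nextLot++;
    }

    // Unchanged bid rule: the very first bid must already be >= bidIncrement,
    // which is why a lot worth less than that can only be won at a loss.
    function addBid(uint256 lotId) external payable {
        if (msg.value == 0) revert InSufficientETH();
        LotItem storage lotItem = lots[lotId];
        if (msg.value < lotItem.highestBidAmount + bidIncrement) revert InSufficientBid();
        lotItem.highestBidAmount = msg.value;
        lotItem.highestBidder = msg.sender;
    }

    // Helper for bidders and tests: the smallest bid addBid will accept right now.
    function minimumNextBid(uint256 lotId) external view returns (uint256) {
        return lots[lotId].highestBidAmount + bidIncrement;
    }
}
```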

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Overinflated severity

Picodes commented 1 year ago

True but 1e15 is already low enough, isn't it?